CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

QuickLens Chrome Extension Compromised to Steal Cryptocurrency and Credentials

First reported
Last updated
2 unique sources, 2 articles

Summary

Hide ▲

The QuickLens Chrome extension, initially a legitimate tool for Google Lens searches, was compromised to push malware and steal cryptocurrency and credentials from approximately 7,000 users. The malicious version 5.8, released on February 17, 2026, introduced ClickFix attacks and info-stealing functionality. The extension was removed from the Chrome Web Store by Google after the discovery. The compromised extension stripped browser security headers, communicated with a command-and-control (C2) server, and executed malicious JavaScript scripts on every page load. It targeted various cryptocurrency wallets, login credentials, payment information, and sensitive form data. The extension was sold on ExtensionHub on October 11, 2025, and ownership changed to '[email protected]' on February 1, 2026. The malicious update introduced code to fingerprint the user's country, detect the browser and operating system, and poll an external server every five minutes to receive JavaScript. The JavaScript code is stored in the browser's local storage and executed on every page load by adding a hidden 1x1 GIF <img> element. The same threat actor is behind the compromise of the QuickLens and ShotBird extensions, using an identical command-and-control (C2) architecture pattern. Users are advised to remove the extension, scan their devices for malware, and reset passwords.

Timeline

  1. 28.02.2026 21:18 2 articles · 9d ago

    QuickLens Chrome Extension Compromised to Steal Cryptocurrency and Credentials

    On February 17, 2026, a malicious version 5.8 of the QuickLens Chrome extension was released, introducing ClickFix attacks and info-stealing functionality. The extension stripped browser security headers, communicated with a C2 server, and executed malicious JavaScript scripts on every page load. It targeted various cryptocurrency wallets, login credentials, payment information, and sensitive form data. The extension was sold on ExtensionHub on October 11, 2025, and ownership changed to '[email protected]' on February 1, 2026. The malicious update introduced code to fingerprint the user's country, detect the browser and operating system, and poll an external server every five minutes to receive JavaScript. The JavaScript code is stored in the browser's local storage and executed on every page load by adding a hidden 1x1 GIF <img> element. The same threat actor is behind the compromise of the QuickLens and ShotBird extensions, using an identical command-and-control (C2) architecture pattern. Google has removed the extension from the Chrome Web Store and automatically disables it for affected users.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Fake AI Assistant Extensions in Google Chrome Web Store Exfiltrate Credentials and Monitor Emails

Over 260,000 Google Chrome users downloaded fake AI assistant extensions that steal login credentials, monitor emails, and enable remote access. Researchers at LayerX identified over 30 malicious extensions as part of a coordinated campaign called AiFrame. The extensions mimicked popular AI assistants like Claude AI, ChatGPT, Grok, and Google Gemini. The campaign used extension spraying to evade takedowns, directing users to remote infrastructure to avoid detection. The extensions exfiltrate data from Chrome and Gmail to attacker-controlled servers. LayerX warns that these extensions act as general-purpose access brokers, capable of harvesting data and monitoring user behavior. Many extensions have been removed from the Chrome Web Store, but users who downloaded them remain at risk. Additionally, cybersecurity researchers have discovered a malicious Google Chrome extension named CL Suite by @CLMasters (ID: jkphinfhmfkckkcnifhjiplhfoiefffl) that steals TOTP codes for Facebook and Meta Business accounts, Business Manager contact lists, and analytics data. The extension exfiltrates data to infrastructure controlled by the threat actor, including a backend at getauth[.]pro and a Telegram channel. The extension has 33 users as of writing and was first uploaded to the Chrome Web Store on March 1, 2025. About 500,000 VKontakte users have had their accounts silently hijacked through Chrome extensions masquerading as VK customization tools. The large-scale campaign has been codenamed VK Styles. The malware embedded in the extensions is designed to engage in active account manipulation by automatically subscribing users to the attacker's VK groups, resetting account settings every 30 days to override user preferences, manipulating CSRF tokens to bypass VK's security protections, and maintaining persistent control. A report published by Q Continuum found a huge collection of 287 Chrome extensions that exfiltrate browsing history to data brokers. These extensions have 37.4 million installations, representing roughly 1% of the global Chrome userbase.

Open in new tab

Stanley MaaS Offers Malicious Chrome Extensions via Chrome Web Store

A new malware-as-a-service (MaaS) called Stanley promises to publish malicious Chrome extensions on the Chrome Web Store. The service offers phishing capabilities, silent auto-installation, and custom tweaks. It supports multiple subscription tiers, with the highest tier offering full support for publishing extensions to the Chrome Web Store. The extensions overlay a full-screen iframe with malicious content while keeping the legitimate domain visible in the address bar. Stanley's distribution model focuses on bypassing Google's review process, making it a significant threat to users who trust extensions from the Chrome Web Store.

Open in new tab

DarkSpectre Campaigns Target 8.8 Million Users with Malicious Browser Extensions

A Chinese threat actor, DarkSpectre, has been linked to three malicious browser extension campaigns—ShadyPanda, GhostPoster, and The Zoom Stealer—which have collectively impacted 8.8 million users across Google Chrome, Microsoft Edge, and Mozilla Firefox over seven years. The campaigns facilitate data theft, search query hijacking, affiliate fraud, and corporate espionage by exfiltrating meeting-related data from video conferencing platforms. Additionally, five new malicious Chrome extensions impersonating HR and ERP platforms have been discovered, targeting Workday, NetSuite, and SAP SuccessFactors to hijack accounts. These extensions steal authentication tokens, block incident response capabilities, and enable complete account takeover through session hijacking. The extensions, some of which were recently taken down, used delayed activation and benign updates to evade detection and build trust before deploying malicious functionality. The extensions were designed to look polished and professional, with some claiming to contain security features to prevent account compromise. They engaged in a range of actions to take control of accounts, including extracting authentication cookies and uploading them to a command and control (C2) server every 60 seconds. The extensions prevented passwords from being changed to help ensure stolen access tokens remained valid indefinitely and prevented security teams from locking out compromised accounts during remediation. Administrators attempting to disable an affected user's account encountered a blank page and redirect loop. Socket recommended that organizations implement Chrome Enterprise extension allowlists to prevent installation of unauthorized extensions and monitor for extensions targeting the same enterprise platforms with similar permission requests.

Open in new tab

Sha1-Hulud Supply Chain Attack Results in $8.5 Million Trust Wallet Chrome Extension Hack

On December 24, 2025, users of the Trust Wallet Chrome extension reported significant cryptocurrency losses after a compromised update (version 2.68.0) was released. The update contained malicious code that exfiltrated sensitive wallet data to an external server. Trust Wallet confirmed the security incident and released a patched version (2.69). Losses are estimated to exceed $8.5 million, with ongoing investigations into the incident. The malicious code iterated through all wallets stored in the extension and triggered a mnemonic phrase request for each wallet. The encrypted mnemonic was decrypted using the password or passkey entered during wallet unlock and sent to the attacker's server. The stolen funds include about $3 million in Bitcoin, $431 in Solana, and more than $3 million in Ethereum. The incident has claimed hundreds of victims, and Trust Wallet is actively finalizing the process to refund the impacted users. The stolen funds have been moved through centralized exchanges and cross-chain bridges for laundering and swapping. The backdoor incident originated from malicious source code modification within the internal Trust Wallet extension codebase. The attacker directly tampered with the application's own code and leveraged the legitimate PostHog analytics library as the data-exfiltration channel. There is a possibility that the incident is the work of a nation-state actor, and Changpeng Zhao hinted that the exploit was most likely carried out by an insider. Trust Wallet confirmed that approximately 2,596 wallets were drained in the attack and received around 5,000 claims, indicating a significant number of false or duplicate submissions. Trust Wallet has launched a dedicated claim form for affected users and warned about ongoing phishing campaigns.

Open in new tab

ShadyPanda Browser Extensions Campaign Exploits 4.3M Installs

The ShadyPanda campaign has amassed over 4.3 million installations of malicious Chrome and Edge browser extensions, evolving from legitimate tools into spyware over multiple phases. The extensions, discovered by Koi Security, engaged in affiliate fraud, search hijacking, and remote code execution. The campaign remains active on the Microsoft Edge Add-ons platform, with one extension having 3 million installs. The extensions collect browsing history, search queries, keystrokes, mouse clicks, and other sensitive data, exfiltrating it to domains in China. Users are advised to remove these extensions and reset their account passwords. The ShadyPanda campaign used a supply-chain attack tactic by publishing or acquiring harmless extensions, letting them run clean for years to build trust and gain millions of installs, then suddenly flipping them into malware via silent updates. The compromised extensions became a fully fledged remote code execution (RCE) framework inside the browser, capable of downloading and running arbitrary JavaScript with full access to the browser's data and capabilities. The extensions could steal session cookies and tokens, allowing them to impersonate entire SaaS accounts such as Microsoft 365 or Google Workspace. The risk of malicious browser extensions extends beyond individual users, as they can access cookies, local storage, cloud auth sessions, active web content, and file downloads, blurring the line between endpoint security and cloud security. Organizations should enforce extension allow lists, treat extension access like OAuth access, audit extension permissions regularly, and monitor for suspicious extension behavior to reduce the risk of malicious extensions. Modern SaaS security platforms, such as Reco's Dynamic SaaS Security platform, can help organizations monitor and detect suspicious activity related to browser extensions in real time.

Open in new tab